
Trying to remove trojans - Downloader HGT, VOX and Clicker.FR

Discussion in 'Malware and Virus Removal Archive' started by percha, 2006/07/09.

Thread Status:
Not open for further replies.
  1. 2006/07/09
    percha

    percha Inactive Thread Starter

    Joined:
    2006/07/09
    Messages:
    7
    Likes Received:
    0
    Having problems with trying to remove 3 trojans. AVG is telling me that the three are Generic.VOX, Downloader.Generic.HGT and Clicker.FR. Here is the log from HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:50 PM, on 10/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {4F9B07CE-1D8A-79FC-9A71-EBAB96F3EC21} - msag.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {F0A67C45-6792-405A-80E0-6D820583621D} - C:\WINDOWS\system32\apiqm.dll (file missing)
    O3 - Toolbar: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ieeh32.exe] C:\WINDOWS\system32\ieeh32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [yrgsq.exe] C:\WINDOWS\system32\yrgsq.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe "
    O4 - HKCU\..\Run: [ERTYDF] SysEntry.exe
    O4 - HKCU\..\Run: [PasswdMon] sound64.exe
    O4 - HKCU\..\Run: [teqq32] ActionScr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102928057562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: Domain = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Network Security Service (NSS) (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\winaf32.exe (file missing)
    O23 - Service: OracleOraHome92iClientCache - Unknown owner - C:\Program~1\Oracle\BIN\ONRSD.EXE (file missing)
     
  2. 2006/07/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to WindowsBBS Forums.

    What you have, or part of what you have, is a Wareout infection. Please run the fix described below to remove that part from your system; afterwards we'll likely have some more cleaning.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
     


  4. 2006/07/10
    percha

    After running fixwareout this is what was output

    Check for missing files
    .....
    C:\WINDOWS\system32\AUTOEXEC.NT not there
    .....
    End check for missing files
    .....
    VXD Check
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
    "VDD "=hex(7):00
    .....
    End vxd check
    .....
    please post this at the forum
     
  5. 2006/07/10
    TeMerc

  6. 2006/07/11
    percha

    Thanks for the help so far, here are the latest results


    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\qsjmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AF544585662F-720A-22F4-708A-997B33A0{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmjsq.exe "=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINDOWS\System32\CSJMU.EXE

    »»»»» Misc files
    * thequicklink C:\WINDOWS\System32\{89AFA~1.DLL

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSJMU.EXE 51,244 2006-07-03
    C:\WINDOWS\SYSTEM32\DMJSQ.EXE 44,076 2004-08-03
    Other suspects
    Directory of C:\WINDOWS\system32


    Logfile of HijackThis v1.99.1
    Scan saved at 6:37:25 PM, on 11/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dominic\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {4F9B07CE-1D8A-79FC-9A71-EBAB96F3EC21} - msag.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll
    O2 - BHO: (no name) - {F0A67C45-6792-405A-80E0-6D820583621D} - C:\WINDOWS\system32\apiqm.dll (file missing)
    O3 - Toolbar: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ieeh32.exe] C:\WINDOWS\system32\ieeh32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [iewpq.exe] C:\WINDOWS\system32\iewpq.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ERTYDF] SysEntry.exe
    O4 - HKCU\..\Run: [PasswdMon] sound64.exe
    O4 - HKCU\..\Run: [teqq32] ActionScr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102928057562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: Domain = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Network Security Service (NSS) (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\winaf32.exe (file missing)
    O23 - Service: OracleOraHome92iClientCache - Unknown owner - C:\Program~1\Oracle\BIN\ONRSD.EXE (file missing)
     
  7. 2006/07/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I am only butting into this thread to point out that your last HJT log was run from the Desktop ....

    C:\Documents and Settings\Dominic\Desktop\HijackThis.exe

    Please move Hijackthis to a folder on your hard drive, say C:\HJT - the Desktop or a temporary folder is not a suitable location for the backup made by HJT when entries are fixed.

    Then scan again with HJT and post a new log for TeMerc.
     
  8. 2006/07/11
    percha

    Logfile of HijackThis v1.99.1
    Scan saved at 9:28:36 PM, on 11/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {4F9B07CE-1D8A-79FC-9A71-EBAB96F3EC21} - msag.dll (file missing)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll
    O2 - BHO: (no name) - {F0A67C45-6792-405A-80E0-6D820583621D} - C:\WINDOWS\system32\apiqm.dll (file missing)
    O3 - Toolbar: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ieeh32.exe] C:\WINDOWS\system32\ieeh32.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [gmnvz.exe] C:\WINDOWS\system32\gmnvz.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ERTYDF] SysEntry.exe
    O4 - HKCU\..\Run: [PasswdMon] sound64.exe
    O4 - HKCU\..\Run: [teqq32] ActionScr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102928057562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: Domain = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Network Security Service (NSS) (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\winaf32.exe (file missing)
    O23 - Service: OracleOraHome92iClientCache - Unknown owner - C:\Program~1\Oracle\BIN\ONRSD.EXE (file missing)
     
  9. 2006/07/11
    TeMerc

    OK, let's work this with an old fix for an old variant of CoolWebSearch.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe) Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

    OK, here we go, pay close attention, double check all steps please.

    ***Disable any registry monitoring apps you have please, as they will interfere with the fixes HJT makes.

    You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply, but also, post another HJT log please, regardless of your trouble.

    Please make sure that you can view all hidden files.
    Enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Please download About:Buster from here: AboutBuster v6.03
    Once it is downloaded extract it to c:\aboutbuster. Run it just long enough to make sure it is fully updated, then close it. We will be using it later.

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key, and follow these steps:

    Step 1:

    Click on start, then control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

    Step 2:

    Press control-alt-delete to get into the task manager and end the following processes if they exist:
    DOES NOT APPLY


    Step 3:
    I now need you to delete the following files\folders if found:
    C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll<<<--file
    C:\WINDOWS\system32\apiqm.dll <<<--file
    C:\WINDOWS\msopt.dll <<<--file
    C:\WINDOWS\winaf32.exe <<<--file
    C:\WINDOWS\system32\iewpq.exe<<<--file
    C:\WINDOWS\system32\ieeh32.exe<<<--file
    ActionScr.exe<<<--file

    sound64.exe<<<--file


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    Step 4:
    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    R3 - URLSearchHook: (no name) - {4F9B07CE-1D8A-79FC-9A71-EBAB96F3EC21} - msag.dll (file missing)


    O1 - Hosts: localhost 127.0.0.1


    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll

    O2 - BHO: (no name) - {F0A67C45-6792-405A-80E0-6D820583621D} - C:\WINDOWS\system32\apiqm.dll (file missing)

    O3 - Toolbar: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)

    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll


    O4 - HKLM\..\Run: [ieeh32.exe] C:\WINDOWS\system32\ieeh32.exe

    O4 - HKLM\..\Run: [iewpq.exe] C:\WINDOWS\system32\iewpq.exe

    O4 - HKCU\..\Run: [ERTYDF] SysEntry.exe

    O4 - HKCU\..\Run: [PasswdMon] sound64.exe

    O4 - HKCU\..\Run: [teqq32] ActionScr.exe


    O15 - Trusted Zone: *.flingstone.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab


    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129

    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129


    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)


    O23 - Service: Network Security Service (NSS) (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\winaf32.exe (file missing)



    Step 5:

    In the next step we are going to remove a service that gets installed by this malware and clean up the registry.

    Download cws-hsa reg file to your desktop.

    1. When it has completed downloading, double-click on the cws-hsa.reg file.

    2. When Windows prompts about whether or not you want to merge this information, click on the Yes button.


    Step 6:

    This is the step where we will use About:Buster that you had downloaded previously.

    Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

    When it has completed, move on to step 7.


    Step 7:


    Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:

    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.
      (Should the link fail, just uninstall, then re-install Spybot)
    • Open IE, go to Tools>Internet Options>then click on the security tab, then click on custom label. Check the following settings:
      • Download Signed ActiveX controls-set to Prompt.
      • Download Un-Signed ActiveX controls-set to Disable.
      • Initialize and script ActiveX controls marked as unsafe-set to disable.

    Step 8:

    Please head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
    Trend Micro
    Panda ActiveScan

    Reboot and post a last log please.
     
  10. 2006/07/11
    percha

    Logfile of HijackThis v1.99.1
    Scan saved at 1:16:59 PM, on 12/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [dmyml.exe] C:\WINDOWS\system32\dmyml.exe
    O4 - HKLM\..\Run: [svuhr.exe] C:\WINDOWS\system32\svuhr.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102928057562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: OracleOraHome92iClientCache - Unknown owner - C:\Program~1\Oracle\BIN\ONRSD.EXE (file missing)
     
  11. 2006/07/11
    TeMerc

    1) Please download the Killbox.
    Save it to the desktop but do not run it.

    Reboot into safe mode, then open Killbox and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\System32\svuhr.exe
    C:\WINDOWS\System32\dmyml.exe


    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Run HJT and fix the following entries:
    O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)


    O4 - HKLM\..\Run: [dmyml.exe] C:\WINDOWS\system32\dmyml.exe

    O4 - HKLM\..\Run: [svuhr.exe] C:\WINDOWS\system32\svuhr.exe



    O15 - Trusted IP range: 206.161.125.149 (HKLM)



    O17 - HKLM\System\CCS\Services\Tcpip\..\{22D87CE5-B729-4D90-B9F7-D93F750AB9E0}: NameServer = 85.255.115.74,85.255.112.129

    O17 - HKLM\System\CCS\Services\Tcpip\..\{717E25BB-2E91-4EC1-BD62-8D3A020E6A83}: NameServer = 85.255.115.74,85.255.112.129

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129


    Reboot, post new log file please.
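
Added example (not part of the thread, and not HijackThis code): a Python check of a fix list against the next log, matching each entry on a stable key (CLSID, or Run value name) instead of the whole line, so an entry that survives with changed text is still caught. The two excerpts are copied from the Step 4 list and the follow-up log in this thread; the function names and the choice of keys are assumptions of this sketch.

```python
import re

# Excerpts copied from this thread: part of the Step 4 fix list and of the follow-up log.
FIX_LIST = r"""
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{18578197-30BE-4B4C-9614-AF081FA56466}.dll
O4 - HKLM\..\Run: [ieeh32.exe] C:\WINDOWS\system32\ieeh32.exe
O4 - HKLM\..\Run: [iewpq.exe] C:\WINDOWS\system32\iewpq.exe
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
"""
FOLLOW_UP = r"""
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmyml.exe] C:\WINDOWS\system32\dmyml.exe
O4 - HKLM\..\Run: [svuhr.exe] C:\WINDOWS\system32\svuhr.exe
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.129
"""

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
CLSID_SECTIONS = {"O2", "O3", "O9", "O16", "O18"}  # sections identified by a CLSID

def entry_key(code, text):
    """Stable identity of an entry, so a changed name or path does not hide a survivor."""
    if code in CLSID_SECTIONS:
        m = GUID.search(text)              # first GUID on the line is the CLSID
        if m:
            return (code, m.group(0).upper())
    if code == "O4":
        m = re.match(r"(.*?\[[^\]]+\])", text)   # hive + [value name], command dropped
        if m:
            return (code, m.group(1).casefold())
    return (code, text.casefold())         # everything else: the whole entry text

def parse(log):
    """Map entry key -> normalised log line; non-entry lines are skipped."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            code, text = m.groups()
            entries[entry_key(code, text)] = f"{code} - {text}"
    return entries

def verify_fix(fix_list, follow_up):
    """Classify every fix-list entry as gone, unchanged or changed in the follow-up log."""
    wanted, present = parse(fix_list), parse(follow_up)
    report = {"gone": [], "unchanged": [], "changed": []}
    for key, line in wanted.items():
        if key not in present:
            report["gone"].append(line)
        elif present[key] == line:
            report["unchanged"].append(line)
        else:
            report["changed"].append(present[key])   # show the line as it now appears
    return report

if __name__ == "__main__":
    for status, lines in verify_fix(FIX_LIST, FOLLOW_UP).items():
        for line in lines:
            print(f"{status:9} {line}")
```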
     
  12. 2006/07/12
    percha

    Logfile of HijackThis v1.99.1
    Scan saved at 5:59:25 PM, on 12/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102928057562
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: OracleOraHome92iClientCache - Unknown owner - C:\Program~1\Oracle\BIN\ONRSD.EXE (file missing)

    So far so good, it appears that the Clicker.FR has been removed. I still have, though, what appears to be an HTML page running on my desktop over the background image, and it flickers between two colours. Can't seem to remove it or find a program that can detect it. It appears to be called desktop.html but I can't find it.

    Your help so far is much appreciated!
     
  13. 2006/07/12
    TeMerc

    I'm just getting to sleep, but try this:

    Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.

    Let me know.
     
  14. 2006/07/13
    percha

    Well what can I say? Thank you very much! That **** has gone from my desktop and the computer seems to be working trojan free. Once again thank you very much for your help and all the time and effort you have put in.

    Thank You.
     
  15. 2006/07/13
    TeMerc

    Excellent news!! Glad to hear all is well again.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    Now that you have regained control of your machine, let's keep it clean. Please follow the links below to ensure the highest possible level of protection against any further invasions. The links and the apps are some of the most highly regarded apps in the field of security/protection & detection. Run AdAware & Spybot at least once a week, depending on your surfing habits.
    Spybot Search & Destroy v1.4
    Ad-Aware SE Free v1.06r

    With AdAware and Spybot: DL, install then check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next.

    SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
    With Spyware Blaster, just DL, check for updates, enable Internet Explorer protection, and you're done! I don't recommend using 'Restricted Sites' protection in SpywareBlaster nor the 'Immunize' feature in Spybot, you can get far greater coverage with IE-SPYADs, listed below.

    To avoid known malware infested sites from loading in IE install IE-SPY ADS.
    And MVPS Hosts File will provide another layer of protection.

    And to prevent unknown applications from being installed on your machine install WinPatrol v9.8.1.0.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Tutorials for all can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
    TeMerc Test Box Forum

    Happy surfing!
    Tom :D
     